Описание
Argo-cd authenticated users can enumerate clusters by name
Impact
It’s possible for authenticated users to enumerate clusters by name by inspecting error messages:
It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.3 v2.10.12 v2.9.17
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
Пакеты
github.com/argoproj/argo-cd
>= 0.11.0, < 2.9.17
2.9.17
github.com/argoproj/argo-cd
>= 2.10.0, < 2.10.12
2.10.12
github.com/argoproj/argo-cd
>= 2.11.0, < 2.11.3
2.11.3
Связанные уязвимости
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Уязвимость декларативного инструмента непрерывной доставки GitOps для Kubernetes Argo CD, связанная с недостатками механизма формирования отчетов об ошибках, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации